在之前的文章有提到想用kallsyms_lookup做出kernel module memory detector,剛好今天有空抽點時間做出來,不過在實做的過程中發現,要改動的地方還真多阿,在hack的過程中,絕大部份都是苦工,剪剪貼貼一大堆,不過講到這邊,我突然想到我去年有一次寫程式寫到睡著,因為從頭到尾都剪貼,又一堆fopen, fread,fclose,說老實話,這種程式寫久了會頭暈想吐…
搭配kallsyms_lookup,我們除了可以抓出function name之外,還可以抓出module name,所以我把kallsyms_lookup埋在kmalloc呼叫中,但是,kmalloc被定義為inline function,所以不可能從__builtin_return_address拉出caller address,必需把kmalloc改為非inline function,所以我把kmalloc拉到slab.c,並加入以下幾行
- void *kmalloc(size_t size, gfp_t flags)
- {
- char *modname=NULL;
- const char *name=NULL;
- unsigned long kaoffset, kasize;
- char namebuf[KSYM_NAME_LEN];
-
- unsigned long caller = (unsigned long) __builtin_return_address(0);
- name = kallsyms_lookup(caller, &kasize, &kaoffset, &modname, namebuf);
- if (modname)
- {
- printk("modname %s\n",modname);
- addElement(modname,size,0);
- }
addElement是我們自己寫的函式,主要是在收集由kmalloc攔截到的資訊,有興趣的朋友可以自己寫自己的hook function
在kfree function內也擺上hook function,大概如下,記得要把obj_size-20,因為kmalloc會多佔20bytes空間於memory heap
- void kfree(const void *objp)
- {
- struct kmem_cache *c;
- unsigned long flags;
- //hack
- char *modname=NULL;
- const char *name=NULL;
- unsigned long kaoffset, kasize;
- char namebuf[KSYM_NAME_LEN];
-
-
- if (unlikely(ZERO_OR_NULL_PTR(objp)))
- return;
- local_irq_save(flags);
- kfree_debugcheck(objp);
- c = virt_to_cache(objp);
- //hack
- unsigned long caller = (unsigned long) __builtin_return_address(0);
- name = kallsyms_lookup(caller, &kasize, &kaoffset, &modname, namebuf);
- if (modname)
- {
- printk("modname %s\n",modname);
- addElement(modname,0,obj_size(c)-20);
- }
- //hack end
- debug_check_no_locks_freed(objp, obj_size(c));
- debug_check_no_obj_freed(objp, obj_size(c));
- __cache_free(c, (void *)objp);
- local_irq_restore(flags);
- }
試著去跑某隻會kmalloc的kernel module,會得到如下圖的資訊

Regular expression-跟brainfuck差不多的東西 (2009-11-13 15:37)
Reading file in kernel-簡單但實用 (2009-10-13 15:18)
Linux file system for dummies-只花你45分鐘 (2009-08-19 15:40)
OPENSSL-TCP SSL初心者之路 (2009-07-16 15:16)
NAPI與pure interrupt driver的效能比較 (2009-04-29 19:06)
usermode helper-來自kernel的呼喚 (2009-04-21 16:19)
kernel space coding-如履薄冰 (2009-03-26 09:52)
readahead與posix_advise-預讀取是萬能靈丹? (2009-03-06 15:54)
Who call me – kernel版 (2009-02-19 10:53)